The Neosploit cybercrime group abandons its web malware exploitation kit

The end of the Neosploit web malware exploitation kit? RSA's FraudAction Research Labs recent monitoring of ongoing communications between Neosploit team members and their potential customers indicates so.

The Neosploit malware kit has been around since the middle of 2007, with prices varying between $1000 and $3000. Its main differentiating factors compared to popular alternatives such as MPack and Icepack were its customer support and constant updates (including new JavaScript obfuscation routines and exploits as they became available), its multi-user command and control interface, and its improved metrics and filtering of infected hosts.

Is this really the end of Neosploit? Could be, but it's definitely not the end of web malware exploitation kits in general:

"In mid-July, however, evidence showed that Neosploit's successful business was running into problems. It is likely that Neosploit was finding it difficult to sustain its new customer acquisition rate, and that its existing customers were not generating enough revenue to sustain the prior rate of development. These problems appear to have been too much of a burden, and we now believe that the Neosploit development team has been forced to abandon its product. Like any responsible business, the Neosploit team is trying to be remembered as a good business that might one day return. Our sources reported that they took the time and effort to part properly with an "out of business" announcement. Or as the translation goes:

"Unfortunately, supporting our product is no longer possible. We apologize for any inconvenience, but business is business since the amount of time spent on this project does not justify itself. We tried hard to satisfy our clients' needs during the last few months, but the support had to end at some point. We were 1.5 years with you and hope that this was a good time for your business."

Let's discuss their business model, how other cybercriminals disintermediated it and thereby ruined it, and most importantly, how it is possible that such a popular web malware exploitation kit cannot seem to achieve a positive return on investment (ROI).

The short answer is piracy in the IT underground, combined with the team's over-optimistic assumption that high profit margins can compensate for the lack of a long-term growth strategy, which in the case of web malware exploitation kits has to do with the benefits of converging with traffic management tools. Let's discuss some key points.

You cannot pitch an open source malware kit as a proprietary one

Neosploit, just like the majority of other web malware kits, is open source, which means the customer can add new functions and exploits and enjoy the kit's modularity. The Neosploit Team's business model relied on the wrong assumption that charging thousands of dollars for a proprietary malware kit, positioned as an exclusive one, could result in a high-growth business. Moreover, their statement that the amount of time spent on the "product" does not justify itself wrongly implies that it takes a great deal of time to embed publicly available exploit code for a recent vulnerability into the kit, while in reality it doesn't.

Namely, the kits are easy to obtain, and even easier to use, even by those who are not familiar with Russian. This commoditization directly ruined the business model, and one of the main reasons the Neosploit Team is stopping support for their malware kit is that they no longer feel comfortable being used as the foundation for someone else's successful malware attack. The open source nature of the malware kits is directly resulting in an unknown number of modified kits that use the publicly available ones as a foundation on which to build and add new features. This makes it somewhat irrelevant to count and keep track of which and how many exploits are included within a particular kit, since the number will only be valid for that particular copy of the kit.

Then again, when you have 637 million Google users surfing with insecure browsers and getting exploited with "last quarter's critical browser vulnerability", why bother introducing zero day vulnerabilities within your kit when outdated and already patched ones seem to achieve such a high infection success rate anyway?

Today's international script kiddies are empowered with localized versions of sophisticated web malware exploitation kits courtesy of Russian hackers, which looks like globalization in action. The Neosploit Team may be abandoning support for their malware kit, but they are by no means abandoning the current malware campaigns they manage using it.
